Posted by timothy on Thursday April 14, 2005 @06:59PM
from the irs-is-a-nest-of-worms dept.

Slashback this evening with another batch of updates and responses to previous Slashdot posts, including: how Firefox users can avoid post-cookie Web tracking (for now), more on open-source graphics drivers, and an alarm clock that sounds perfect for annoying a spouse. Read on for the details.

Does he feel like Reese Witherspoon?
Joe 'Zonker' Brockmeier writes "After many years of trying, Branden Robinson has finally won the Debian Project Leader election. Linux Magazine has an in-depth interview with Robinson about his plans as DPL, the problems that face Debian, and what it's like to finally win the election."

Objection 0.1 adds a 'Local Shared Objects' line to Firefox's Options > Privacy panel, allowing you to delete them as easily as you'd delete cookies. It's still pretty rudimentary - all or nothing deletion, working on Windows only - but Slashdotters are more than welcome to improve it. Since Local Shared Objects have the same functionality as cookies, we need the same amount of control over them as we do over cookies - and built into the browser, not tucked away in some obscure Macromedia page."

The response (and further comment) clarifies the current Unichrome driver situation and whilst welcoming VIA's move suggests that VIA should become more involved in existing open source projects rather than simply issuing repeated grand sounding press releases. The Unichrome project has provided and supported a full open source driver, including MPEG support, for the Unichrome and Unichrome Pro chipsets for the past two years."

But this implies that 'perky' is the desired state.
dhalsim2 writes "Yahoo reports of a Smart Alarm Clock Set for Perky Wakeups. On the heels of Clocky comes this new alarm clock that will monitor a sleeper's brain waves to determine the best time to wake him up. The device uses a microprocessor within a headband that wirelessly transmits brainwaves to the clock. When the person is in a light sleep and is likely to wake up 'perky,' the alarm will go off. Brain wave monitoring? Sounds a lot like Plankton's Plan Z."

on the heels of this, comes news of a Smart Alarm Clock for Perky Wakeups...

Yes, but make sure you don't get the Darth Vader edition of the Smart Alarm Clock for Perky Wakeups.

That one not only reads your brain waves, but instead of adjusting itself to help you, it uses the dark side of alarm clock force to ring just a little bit too much... and then on alternate Tuesdays it doesn't wake you up at all and laughs in an evil way when you finally regain consciousness... plus it always broadcasts CNN.

When the snooze bar is pressed, Clocky rolls off the table and finds a hiding spot, a new one every day.

I really don't get the idea behind that. When I need to get up, I set a second alarm on the other side of the room (these days it's "at x:yyam\n xmms -p" on the command line, but same idea). I have to get up to turn it off, regardless of whether it "hides" or not.

First one wakes me up, I turn it off and snooze for ten, second one fires off and I have to get up to turn it off. Very simple.

I have blogged on this repeatedly and even mentioned a good article [dynadco.com] which should give some perspective on this whole cookie question. It's not that cookies are such a bad thing when used correctly. Some people don't want to use them and that's fine. For them let them log in repeatedly and see ads that aren't relevant or contextual to what they have been doing or watching. Coming up with another way of tracking users isn't the problem. The problem is that users are scared of the tracking. Educate the masses on the benefits and advertisers would see positive results. Who knows, maybe they wouldn't have to resort to making ever more annoying advertisements just to try and snare my attention.

How about advertisers can go fuck themselves? How about I'm going to employ every blocking technology I can get my hands on because it's none of your damn business? How about I'll delete all my cookies at the end of a session except the ones that I whitelist to leave alone? I want to know why people, advertisers in particular, are so damn interested in what I choose to do with my computer? Fuck off you assholes. I want to do my shit and be left the fuck alone. Okay? You can't have my money. Go to fucking he

Educate the masses on the benefits and advertisers would see positive results. Who knows, maybe they wouldn't have to resort to making ever more annoying advertisements just to try and snare my attention.

And no doubt spammers worldwide would suddenly see the errors of their ways and spam no more, given that targeted ads driven by tracking cookies were suddenly so effective...

I'm sorry, I can't see it. Advertising is not an industry known for its strong ethical stance, and let's face it, such plagues as popups and flash ads were rife long before most people started disabling cookies.

Logging in isn't such a big problem. I allow session cookies where they have a clear and useful purpose, so I only have to click that button once or twice a day.

According to the site's owner and advertisers, which outvotes *you* at least two to one.

> For my ad blocking to be considered theft, I would have to have made a formal agreement.

Not really. If you do something that costs me money, and you *know* it's going to cost me money, and I haven't agreed to let you do it, most legal precedents I've seen seem to be in agreement that you are in fact liable.

Of course, nobody is going to sue you for two bucks, so it doesn't make much

According to the site's owner and advertisers, which outvotes *you* at least two to one.

That presumes that my computer is a democracy and that you and your advertisers are citizens of it and have votes. I know that none of you paid for the hardware, nor for the electricity or connection costs, so it's "no representation without taxation" as far as I'm concerned.

But assuming for a second that your logic is sound: There are you and your advertisers on the one hand. That's ho

> That presumes that my computer is a democracy and that you and your advertisers are citizens of it and have votes.

Nope. It presumes that your connection to my web site is a shared property, because you are on one end and I am on the other, and if either end is dropped the connection doesn't exist. Your end of the connection contains exactly one person: you. My end, on the other hand, contains all the people involved in the maintenance of the site. So you get one vote on how this connection

Let me spell it out for you. My company *used* to do web advertising. We never used popups. We never installed malware. We just wanted people to accept a cookie so we could gather data.

Unfortunately, people were so reluctant to accept cookies, we couldn't gather valid data. We'd have twelve thousand impressions in a week, and only two hundred cookies returned. So no matter *how* much we wanted to cater to people's preferences, we didn't have the information to do it.

Oh no I'm very well educated in what happens with the data collected. I've seen way too many cookies used to follow me around the net. Gauge my surfing habits, then once certain companies compile the data in reference to my IP number, Internet account etc. All that remains is to let their servers get broken into and the lives and lifestyles of now it seems hundreds of thousands (not the original thousands as we were told originally) of Americans are wide open to identity theft. Not that the cookies were t

It's not that cookies are such a bad thing when used correctly. Some people don't want to use them and that's fine. For them let them log in repeatedly and see ads that aren't relevant or contextual to what they have been doing or watching.

That's why I have my browser set to ask me what I want to do with cookies, then I use per-site allow/block settings depending on whether I need to log in or not. If I don't need to log into it, or don't need settings to persist, then I don't let the cookies get set. (Alth

It's just I really DON'T want people knowing I spend 40% of my time on slashdot. I don't have a reason in particular, I just DON'T. I place a significant value on NOT having information about me spread willy-nilly everywhere.

Regarding Javascript, I REALLY don't like the idea of my browser automatically running code that someone else has written without me having the chance to check it out first. I don't think javascript is evil as a language, I just don't like the idea of going to a website and blindly running code from there. I don't care that it's in a sandbox -- all it takes is one exploit for the code to break its way out of the sandbox and boom. (And hopefully I'm running Linux and the developer is too focused on Win32 for his payload to do anything once it's out of javascriptland, but you never know.)

Seriously, I'm never going to put instant, blind trust in anything online until I've checked it out first, and even then on general principles I won't enable cookies or jscript unless there's a compelling reason to do so.

I don't think javascript is evil as a language, I just don't like the idea of going to a website and blindly running code from there. I don't care that it's in a sandbox -- all it takes is one exploit for the code to break its way out of the sandbox and boom.

I think we should try to design trustworthy sandboxes for using javascript because the problems you list could just as well apply to other incoming files from the net such as images, or html. I know that these types of file are not usually considered

Javascript makes a browsing experience a lot more powerful. DHTML is fun to program and to use. Do you inspect the code for all the software you run on your computer? If you are that paranoid about exploits you should use Links [wikipedia.org] because your browser of choice is far more likely to have an exploit. Or you could simply exercise a little surfing common sense by not visiting sites that are likely to take advantage of an exploit. It's pretty simple to realize that by clicking on a free pron banner that you are

Cookies are very useful for session management. The only other real way to do session management is through URL rewriting, which is ugly and has more security problems than cookies. And many websites do need session management. Anything where you log in, anything where you have a shopping cart, etc, pretty much need a cookie. Javascript may be another story, but cookies are needed for many websites to work.

Why is it that no one uses the HTTP authentication mechanism for logins, and instead makes cookies do the job?

Because the standard HTTP authentication mechanism is a bit... Crap?

The standard, most widely supported 'Basic' version makes the browser send the username and password in plaintext on every page request. Okay, without SSL, any login mechanism will transmit the password at least once, but 'Basic' makes it a bit too easy for packet sniffers and the like.

There is no way that a cookie is relaying your email information. The only way a site can even look at a cookie is if they set it. Otherwise it's a no go. The only way a cookie could contain your email address is if you gave it previously to that site. In which case that's the source of your spam

That's what companies like DoubleClick do, and MSN pulls tricks to allow the cookies to work across domains.

And it's tied to the domain of the site placing it, not the IP. Many sites have an image from the ad trackers (a single, invisible pixel, aka web bug) for placing the cookie. Those images can also be in e-mails that are rendered as HTML (look below the final </html> in the message source, they're commonly there)

Don't go giving out your email address to just any site. Read their privacy policy and/or give them a throwaway email address (i.e. hotmail, gmail). Cookies aren't generally used for transferring private information from one site to another. They are more commonly used to track ad revenue.
1) Surfing on site A
2) Click a link to site B
3) Signup/purchase on site B
4) Site A gets a piece of the revenue
Is that so evil? No. Site A supplied the

FWIW, I know that I feel much better after four hours of sleep than I do after six; I always assumed that the reason the extra sleep left me groggy was that I was being jarred awake from deep sleep (details here [upmc.com]). I find sleep fascinating, and always enjoy reading the discussions on it -- especially on how to get the most out of it. It seems like quite a safe tuning parameter to optimize, and a lot easier to get into than nootropics [ceri.com].

Do you know if that works?
Looks interesting - If I'm not woken during a light sleep-phase I am completely wasted myself, it would be nice to have something to help ;)

It actually does work really well. I bought one (read about my experience here on my blog [cazz.org]).

It does sense when I'm mostly awake and starts beeping which fully wakes me up. It's still an exercise to pull myself out of the soft, warm, fluffy bed at 6:30 in the morning. Goddamn corporate job, sucking the life right out of me!

On the heels of Clocky comes this new alarm clock that will monitor a sleeper's brain waves to determine the best time to wake him up. The device uses a microprocessor within a headband that wirelessly transmits brainwaves to the clock. When the person is in a light sleep and is likely to wake up 'perky,' the alarm will go off.

What if I go to sleep late? Will this thing let me sleep till 2PM? I don't really understand the use of this thing.

The device monitors how deeply you are sleeping, if you are dreaming, etc. If you are woken up when you are sleeping lightly you are likely to wake up quickly, but if your alarm interrupts a dream you tend to wake up slowly and more tired. Have you ever woken up early and felt ready to go, but felt like sleeping til your alarm goes off... then when it does you feel tired? This prevents that by picking a time close to your target wakeup time (but before your cutoff time) when you are the least likely to wake up tired.

That's what it sounded like to me -- that you'd set it for a time range, long enough to be pretty confident of hitting a light-sleep phase. It sounds like a really great idea; something I think I'd love to have. I just have one question:

Okay... and when does the alarm go off? When I'm in the optimal light-sleep phase, or when she is? (I thought that part of the question would have been obvious from my original post.)

I'm thinking the real solution would be to have small speakers mounted the headband itself, right near the wearer's ears, with the alarm only loud enough to wake up that person; then we could each have one and both benefit.

Agreed. I will not purchase an ATI drive until they release a top notch driver (with similar quality to nVidia's official linux drivers) on a regular basis...

Currently, nVidia has a stronghold on the linux market and it shows. It is simply ridiculous that I cannot buy a new model ATI card, plug it in, and have it work with video games under linux. Not only is it ridiculous, it is embarrassing.

I like their script that overwrites your xorg.conf file. That thing is great. It breaks my keyboard, my mouse, assigns arbitrary and wrong refresh rates for my monitor, and a couple other things I'm too tired to think of right now. Last time it didn't even work.

I'll give the Free software thing a try soon, but it hasn't been a high priority for me, as I don't use my hardware acceleration near as much as I thought I would (I thought my nice job would give me money to play games: it did, but took away my

But so would not having them feel as if they have to write the damn file from scratch. Is it like totally impossible to just go to the part of the file that it cares about and edit that? I mean, in your universe, they would still have to just modify the fields that they want, they would just have a little less effort to do it.

Additionally, if they (and ATi might not do it, but someone would) break it in a registry-looking thing, it's a pain in the ass to put ba

> The device uses a microprocessor within a headband that wirelessly transmits brainwaves to the clock.

If you want to make it to work in the morning, you've gotta take the tinfoil hat off before you go to bed. And pay no attention to the black van with the three dozen Pringles cans mounted on the roof. We^H^HThey are not monitoring your dreams. Honest.

The article stated that VIA is releasing grand statements, rather than actually doing something. The truth is, though, it isn't just VIA. It's everyone. Even you.
Everybody's problem is, even if you have an idea and a plan, going through with it is difficult. 100% of my clients are fully capable people, however, sometimes they just need a little bit of a push.
That's why we need to SHOW these companies that they WILL get something out of coming into the open source community.
We need to show them we

Firefox needs to disable third party cookies by default. There's no reason why images/iframes from other(3rd party) domains should be allowed to set cookies. I don't see any reason why 3rd party cookies should be allowed, they are frequently abused and used as web bugs that track your web browsing from site to site.

I completely agree. Or, even as a compromise, for those of us who want to be notified of cookies and choose to allow, deny, or allow for session, it would be REALLY nice if the default button was "deny" rather than "allow".

It is really annoying to have to mouse over to the button that I choose the most often.

btw, if there is any way to change this behavior short of recompiling, I would love to know how. :D

I have never installed Flash on Firefox, leaving that to IE. Aside from the lame timesheet program we have to access via IE at work, viewing Weebl and Bob, and the occasional Flash game, I almost never use IE for anything.

Actually, it's also used by sites that use an ASP for site-statistics. Such as HBX (formerly Hitbox) by WebSideStory. These systems depend on cookies (and since they're set by the HBX servers, not by your site, they're third party). These ASPs provide accurate "visit" tracking, instead of just hits, page views, etc. Tracking a visit accurately does require some client-side involvement.

I can't say I particularly like it, but, it is a perfectly valid use of third party cookies.

Note to editors: I think slashback is really good. Many many times have I thought "That's an interesting story", and wondered what happened because of it. For example: Pressuring a multinational corporation. That kind of stuff always appears in the news, but very rarely do we actually see the effect of that pressure (because it isn't deemed "interesting"). In conclusion: I think slashback is one of the best things I've seen on slashdot in a long time.

2) I don't need an alarm clock to annoy my spouse -- I can do that just fine all by myself!

3) I've never actually used an alarm clock. I tell myself what time it is and what time I want to get up just before I go to sleep, then I wake myself up at the optimal point in my sleep cycle. Only problem with this is I tend to wake myself up too early!

I'm probably not the first one who's thought of this but it seems to me that cookie abuse could be reduced dramatically without affecting most websites by doing the following:

"Disable cookies on all images that are being pulled from another domain."

That is, if a web page grabs an image from another domain (a banner, pixel, etc.) then pull it but don't send any of the cookie information for that image.

I mean isn't that the way that most developers track access across websites? You put a one-pixel image and set the cookie through there. Then by reading the http_refer, you know where they've been and associate it to a single user. To track across sites though, this pixel is usually on a separate domain than the site being accessed.

By the way, I originally thought to disable cookies on all images but realized some servers may do security checking via cookies before sending an image. But there is very little legitimate use for sending cookies on images that are outside the domain.

Also, the same could be said of ANYTHING that is pulled off a different domain including scripts, css, etc. If it is on the same domain, send the cookies. If not, then make the request but don't send the cookies.

I would say precious few sites would depend on this behavior and it shouldn't break anything except for the tracking (which we want to break). Not saying that a site couldn't be made to break on this but I can't think of many reasons why a site would.

By the way, I think cookies are great for the most part. SlashDot uses them, I use them, anything with a login (mostly) uses them. I find it humorous when people insist that cookies are evil and you shouldn't have a single one. You can just as easily fake a cookie for a session by sticking an ID in the URL which, personally, I think is worse. Now your personally identifying tracker is available for all to see.
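The rule proposed in the comment above (send cookies only when the embedded resource is on the same domain as the page), sketched as an added example; it is not part of the original thread and is not Firefox code. All hostnames and cookie values are constructed, and `siteOf` is a simplification that assumes the site is the last two DNS labels.

```javascript
// Added illustration of the "no cookies on cross-domain subresources" rule.
// Assumption: the site is the last two DNS labels; a real browser needs the
// Public Suffix List to handle names such as example.co.uk correctly.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Constructed cookie jar, keyed by the site that set each cookie.
const jar = new Map([
  ['news.example', 'session=abc123'], // first-party login cookie
  ['tracker.test', 'uid=42'],         // cookie set earlier by a web bug
]);

// Build the request a browser would send for one embedded resource.
// policy: 'send-all' (2005 default) or 'block-third-party' (the proposal).
function buildRequest(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const thirdParty = siteOf(page.hostname) !== siteOf(res.hostname);
  // The Referer header is sent either way; the proposal only touches cookies.
  const headers = { Host: res.hostname, Referer: page.href };
  const cookie = jar.get(siteOf(res.hostname));
  const withhold = policy === 'block-third-party' && thirdParty;
  if (cookie && !withhold) headers.Cookie = cookie;
  return { url: res.href, thirdParty, headers };
}

function loadPage(pageUrl, resources, policy) {
  return resources.map((r) => buildRequest(pageUrl, r, policy));
}

// What the tracker's access log would contain after a browsing session.
function trackerLog(visits, policy, trackerSite) {
  const log = [];
  for (const { page, resources } of visits) {
    for (const req of loadPage(page, resources, policy)) {
      if (siteOf(new URL(req.url).hostname) === trackerSite) {
        log.push({ referer: req.headers.Referer, cookie: req.headers.Cookie || null });
      }
    }
  }
  return log;
}

// Constructed session: two unrelated sites embed the same one-pixel image.
const visits = [
  { page: 'http://news.example/story',
    resources: ['http://static.news.example/logo.png',
                'http://ads.tracker.test/pixel.gif'] },
  { page: 'http://shop.example/cart',
    resources: ['http://ads.tracker.test/pixel.gif'] },
];

for (const policy of ['send-all', 'block-third-party']) {
  console.log(policy, trackerLog(visits, policy, 'tracker.test'));
}
```

With `block-third-party` the tracker's two log entries no longer share `uid=42`, while the first-party image on `static.news.example` still receives the session cookie. Each pixel request still arrives with its Referer.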

Actually, I dislike cookies as session identifiers, as it limits you to one session per browser. A session key in the url allows you to log in multiple times, and possibly as multiple users.

It's not something that you need to do every day - but when you're trying to set up something like a CMS with varying levels of access control, it becomes a pain in the neck to either have to keep logging in and out to verify the way it looks to different users, or have IE, Opera, Mozilla and Firefox all open at once.

But logging in multiple times is only good for you, the builder, it's nice being able to log into a site, lose the window, go to the site again and I'm still logged in.

I personally think things should be built to work well and coherently for the average person, but not screw up the rest of us.

Which will waste more time in total?
You opening up a few web browsers
People having to log into sites a lot more

Ya know what'd be worse? web browsers sharing cookies, then you'd have to use multiple computers.

"By the way, I originally thought to disable cookies on all images but realized some servers may do security checking via cookies before sending an image. But there is very little legitimate use for sending cookies on images that are outside the domain."

Seems to me that'd be a great way to deal with image leeching on the web. Not the only way but not a bad way. One of the neat features of the web is that it can be so inter-connected, but since bandwidth costs money, not everybody feels those features ar

That's already an option in mozilla. One problem is it breaks MSN passport - any site which uses it needs to be able to use a cookie from the passport domain rather than their domain. There's probably other cross-site logins like that it causes problems with. And while you or I may not like passport, there are many many people who use it.

That is, if a web page grabs an image from another domain (a banner,
pixel, etc.) then pull it but don't send any of the cookie information
for that image.

I think you might have missed the point of webbugs...

If you let the image itself load, the site that hosts it doesn't
need you to allow a cookie, you've already given them 90%
of what they want... Any site they partner with, that you visit,
will record you as visiting in their log file. If, on any
of those sites, you enter some personal information

Nah, the binary interface just hides the register specs to their chipset. All the actual mpeg code is inside the chipset.
This is more likely simply an attempt to control the provision of the API to their own proprietary VMI (VIA MPEG Interface) SDK. Basically an attempt to tie people to their platform, so that once you write your code to work on VIA systems, you'll have to write it over again if you want to use anyone else's hardware.

...referenced above, and in the previous YRO article [slashdot.org], to set your privacy preferences, or use a Firefox extension. All you have to do is right-click on a Flash object in a web page to bring up a context menu, and choose "Settings..." (although one wonders if this could be disabled at the Flash object author's choosing).

(Actually, I find it more disturbing that a Flash object in a web page could access a local webcam or microphone. Has anyone seen this capability in use?)

Sleep cycles are about 90 minutes long, so setting the alarm at a 90-minute interval from when you fall asleep will make it more likely that you'll wake up on the high side of sleep, and more likely that you'll feel refreshed. The rule fails if something disturbs your sleep pattern, though, which is where this device (if it exists) would be better.

I've heard 90 minutes and I've heard 3 hours. I guess the 90 minutes must just be a further break down of the 3 hour cycles.

From my own experience, it definitely seems to work. If I take a nap and I wake up before 1.5 or 3 hours, I feel really groggy. If I wake up in the morning after getting less than 3 cycles (actually about 8.5 hours for me), I generally have more trouble motivating myself to move. In fact, it seems to be harder to wake up after 7 hours of sleep than 6, I assume due to the cycles. Thank

To see anybody associated with Debian quoting "release early and often"

The problem is, the rest of the Linux world just won't stand around and wait for Debian... I just wish they'd go and say "ach, to hell wi'it..." and shovel it out the door and then issue a service pack some months down the road... you know, like Microsoft do...

Objection 0.1 adds a 'Local Shared Objects' line to Firefox's Options > Privacy panel, allowing you to delete them as easily as you'd delete cookies. It's still pretty rudimentary - all or nothing deletion, working on Windows only - but Slashdotters are more than welcome to improve it. Since Local Shared Objects have the same functionality as cookies, we need the same amount of control over them as we do over cookies - and built into the browser, not tucked away in some obscure Macromedia page."

I find it easier just to use the Flashblock extension. In the (very rare) event I need to run a Flash display, I just click the play button.

I had the same idea about 2 years ago. I checked last night and it's written down in one of my notebooks. Just goes to show that if you think up an idea, chances are someone else has thought of it, or will shortly.

Should have gone for the patent back then;-) Actually, my problem isn't a lack of ideas, it's not having experience with starting a startup...

Is there much of a reason to actually switch from Sarge to Ubuntu? Right now I'm running a workstation and a laptop on Sarge. It seems to work very nicely, and it's very up-to-date because I keep it up to date with the Sarge repository, which with the occasional exception (e.g. still waiting for x.org), is about as up-to-date as most other distros.

There is a simple reason that the most powerful PC is used to run Windows games. Because Linux doesn't need an overclocked processor to run a bloody desktop. It will in fact run much better on a P3 dual (easy to get if you realize a lot of dell office machines were sold as dual ready) than on the latest P4.

Overclocking to run a desktop application seems kinda silly. What are you going to do? Overclock your modem so mozilla loads pages faster? Time check the time it takes openoffice to print a page? Better